Less then two weeks ago, we covered the significant security flaw in AVG’s Web TuneUp software, and the company’s back and forth with Google security researcher, Tavis Ormandy. Ormandy has found a new set of bugs in Trend Micro’s Windows anti-virus product — bugs that are, if anything, worse than what we saw with AVG. Unlike the AVG problems, which involved a (technically) optional toolbar, installing Trend Micro’s antivirus software is a significant security risk.
Ormandy found that installing Trend Micro Antivirus also installed a password manager. This software automatically launches on startup and has a “feature” that allows for arbitrary code execution. Like AVG, Trend Micro responded in short order — but the company’s response apparently left much to be desired. Ormandy describes the patched version of the program as follows. (We’ve clipped from multiple messages for easier reading, each … indicates a new response in the thread):
Thanks Jean, I ran this on top of a Trend Micro Maximum Security 10 installation, and it looks like this fixes the most critical problem. Honestly, this thing still looks pretty fragile, I haven’t looked through the dozens of other API’s you’re exposing – and some just sound really bad
…
I happened to notice that the /api/showSB endpoint will spawn an ancient build of Chromium (version 41) with –disable-sandbox. To add insult to injury, they append “(Secure Browser)” to the UserAgent.
…
This thing is ridiculous, wtf is this:https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require(“child_process”).spawnSync(“calc.exe”))
You were just hiding the global objects and invoking a browser shell…? …and then calling it “Secure Browser”?!? The fact that you also run an old version with –disable-sandbox just adds insult to injury.
I don’t even know what to say – how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?
To summarize: Trend Micro’s password manager is so flawed, it could allow for malicious code execution even if users never use the service. Users who relied on Trend Micro could expose hashed passwords and plaintext Internet domains that they belonged to. Other security flaws allowed for arbitrary code execution in an old Chrome browser instance that was run without sandbox protection. The image below shows how Calc.exe could be remotely executed from within the browser: